Chinese Hacking Raises Cyber Attack Disclosure Issue for Companies

Three U.S. public companies identified as Chinese hacking victims didn’t report the theft of trade secrets and other data to investors, despite rules designed to disclose significant events.

Two of the companies — aluminum maker Alcoa Inc. and metals supplier Allegheny Technologies Inc. — said the thefts weren’t “material” to their businesses and therefore don’t have to be disclosed under Securities and Exchange Commission rules designed to give investors information that may affect share prices.

The Justice Department, in an indictment unsealed on May 19, alleged that five Chinese military officials conspired to steal information from the U.S. nuclear power, metals and solar industries that would be useful to competitors in China. Attorney General Eric Holder called the data loss significant.

“The question is would an investor have cared if Chinese hackers broke into a company and were messing around the place?” Jacob Olcott, a principal focusing on cybersecurity at Good Harbor Security Risk Management LLC in Washington, said in a phone interview. “As an investor, show me the evidence that you reviewed this thoroughly.”

Federal and state regulators and lawmakers have been grappling with how to sharpen disclosure rules as banks and retailers have been slow to inform the public about cyber-attacks and the loss of customer data. Companies including Target Corp. have disclosed cyber-attacks in which customer data was stolen; in Target’s case the breach weighed on the share price and led to the ouster of the chief executive officer and other officials.

Scott Kimpel, a lawyer who previously worked on disclosure rules as a member of the SEC’s executive staff, said there is “a gray area where a lot of the companies are not perfectly clear on what they should be disclosing.”

Prominent Target

“What it would take is an enforcement action against someone prominent,” Kimpel, who is now a partner at Hunton & Williams LLP in Washington, said in an interview. “Until then you are going to continue to see the same approach taken by companies and the commission.”

There is no explicit requirement under the federal securities laws that requires companies to disclose when they have been hacked, said Bradley J. Bondi, a partner at Cadwalader, Wickersham & Taft who leads its securities enforcement group and previously worked at the SEC.

While the SEC’s staff advised companies how to disclose cyber-attacks and risks in 2011, companies still have to exercise their judgment about whether that information is material for an investment decision.

“Modern issues such as cyber-attacks are assessed to a large degree under the lens of laws and rules that have predated computers,” Bondi said in an interview.

Alcoa Filing

Chinese military officials illegally breached computers at Alcoa, Allegheny Technologies and U.S. Steel Corp. between 2006 and 2014, the Justice Department said in its indictment.

Safeguarding data is a top priority for Alcoa, Monica Orbe, a spokeswoman for the New York-based company, said in an e-mail.

“To our knowledge, no material information was compromised during this incident which occurred several years ago,” Orbe said. She also pointed to the company’s annual SEC corporate filing for 2013, which acknowledged security breaches.

The filing said the company “has experienced cybersecurity attacks in the past, including breaches of our information technology systems in which information was taken, and may experience them in the future, potentially with more frequency or sophistication.”

The filing didn’t mention Chinese hackers and said “past attacks have not had a material impact on Alcoa’s financial condition or results of operations.”

Damage Assessment

Dan Greenfield, a spokesman for Allegheny Technologies based in Pittsburgh, said the company didn’t publicly disclose the incident because it determined “there was no material incident.”

He declined further comment on the Justice Department investigation, citing company policy to not discuss active litigation.

Courtney Boone, a spokeswoman for Pittsburgh-based U.S. Steel, declined to comment, referring questions to the Justice Department. John Nester, an SEC spokesman, declined to comment.

Investors should be asking if the companies conducted an extensive and documented damage assessment into the attacks to determine there was no material impact, said Olcott, who led a congressional review as counsel to Senator Jay Rockefeller, a West Virginia Democrat, that resulted in the SEC guidance being issued in 2011.

Corporate Value

In announcing the indictment, Attorney General Holder said “the range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.”

“This administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market,” Holder said at a press conference in Washington.

Those indicted were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army. The Justice Department identified them as Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui.

Chinese Venture

Allegheny Technologies entered into a joint venture with a Chinese state-owned company to make precision rolled stainless steel strips used in the automotive, medical equipment and semiconductor industries, according to the 56-page indictment.

The board of directors of the joint venture met in April 2012, and one day after the meeting Wen gained unauthorized access into company computers and stole the usernames and passwords for at least 7,000 employees, according to the indictment. It was “virtually every employee at the company, which would have allowed wide-ranging and persistent access to ATI’s computers,” the U.S. said in the indictment.

The attack would have allowed the hackers “to monitor activity on those systems and to steal ATI’s information in the future,” according to the indictment.

Stolen E-mails

Indeed, on at least three other occasions in May 2012, compromised computers communicated with the hackers’ infrastructure, “reflecting persistent access by the hackers,” the indictment said.
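The “persistent access” the indictment describes shows up in network logs as compromised hosts checking in with attacker infrastructure on a regular schedule. The following is an added example, not code from the article or the indictment: it runs a simple beacon-interval check over constructed proxy log lines. The log format, host names, IP addresses and thresholds are assumptions for illustration; the idea is that a malware check-in with a fixed sleep has far less jitter between connections than a person browsing.

```python
"""Beacon detection over constructed proxy log lines.

Added example, not code from the article or the indictment. The log
format, hosts, IPs and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: timestamp, source host, destination, URL path.
# WS-14 checks in with an assumed attacker host roughly every 60 s;
# WS-22 is ordinary, bursty browsing to an unrelated site.
SAMPLE_LOG = """\
2012-05-03T09:00:00 WS-14 198.51.100.7 /update.php
2012-05-03T09:00:04 WS-22 203.0.113.5 /index.html
2012-05-03T09:01:01 WS-14 198.51.100.7 /update.php
2012-05-03T09:01:40 WS-22 203.0.113.5 /news/today
2012-05-03T09:02:00 WS-14 198.51.100.7 /update.php
2012-05-03T09:02:59 WS-14 198.51.100.7 /update.php
2012-05-03T09:03:10 WS-22 203.0.113.5 /images/logo.png
2012-05-03T09:04:00 WS-14 198.51.100.7 /update.php
2012-05-03T09:09:30 WS-22 203.0.113.5 /news/today
"""


def parse(log_text):
    """Yield (timestamp, src, dst, path) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split()
        yield datetime.fromisoformat(ts), src, dst, path


def find_beacons(log_text, min_hits=4, max_cv=0.25):
    """Return (src, dst, count, mean_interval_s) for source/destination pairs
    whose connection intervals are regular enough to look like check-ins.

    cv = stdev / mean of the gaps between connections. Human browsing is
    bursty (high cv); a beacon with a fixed sleep and small jitter is not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged.append((src, dst, len(stamps), round(m, 1)))
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

On the sample, only the WS-14 pair is flagged (five hits about 60 seconds apart); WS-22 has enough hits but its gaps vary too much. In practice the thresholds need tuning per environment, and legitimate software updaters also beacon, so the output is a lead for an analyst rather than a verdict.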

Alcoa announced in February 2008 a partnership with a Chinese state-owned company to acquire a substantial stake in a foreign mining company. About three weeks later, Sun infected computers of some Alcoa employees with malware by tricking them into opening an e-mail attachment purportedly sent from a member of Alcoa’s board of directors, the indictment said.

The malware allowed hackers to steal “at least 2,907 e-mail messages along with approximately 863 attachments from Alcoa’s computers, including internal messages among Alcoa senior managers discussing the foregoing acquisition,” according to the indictment.
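A lure of the kind described above works because recipients trust the display name, not the mailbox behind it. The following is an added example, not code from the article or the indictment: a mail-gateway style check that flags a message when a protected executive’s display name is paired with a sender address outside the company’s own domain, and notes whether the message carries an attachment. The company domain, the executive names and both messages are constructed for illustration.

```python
"""Flag a lure whose sender display name impersonates an executive.

Added example, not from the article or the indictment. The company
domain, the protected-name list and the messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed: the target organisation's mail domain
# Assumed: display names taken from the board/executive directory.
PROTECTED_NAMES = {"Jane Director", "Sam Chairman"}

# Constructed lure: a board member's display name, an external mailbox,
# and a document attachment of the kind employees expect from the board.
LURE = """\
From: Jane Director <jane.director@examp1e-mail.net>
Reply-To: jane.director@examp1e-mail.net
To: analyst@example.com
Subject: Board materials - acquisition update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached briefing before tomorrow's call.
--b1
Content-Type: application/vnd.ms-excel; name="Briefing.xls"
Content-Disposition: attachment; filename="Briefing.xls"

(binary omitted)
--b1--
"""

# Constructed legitimate message from the real internal mailbox.
LEGIT = """\
From: Jane Director <jane.director@example.com>
To: analyst@example.com
Subject: Board materials
Content-Type: text/plain

See you tomorrow.
"""


def classify(raw):
    """Return (verdict, reasons).

    'suspicious' when a protected display name arrives from an address
    outside COMPANY_DOMAIN; an attachment on such a message is recorded
    as an additional reason so the analyst sees the likely payload.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    reasons = []
    if name in PROTECTED_NAMES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' with external address {addr}")

    attachments = [
        part.get_filename()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]
    if reasons and attachments:
        reasons.append("carries attachment(s): " + ", ".join(attachments))

    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        verdict, why = classify(raw)
        print(label, verdict, why)
```

The check is deliberately narrow: it does not catch a lure sent from a compromised internal mailbox, and it relies on the name list being kept current. In a real deployment it would sit alongside SPF/DKIM/DMARC results and attachment sandboxing rather than replace them.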

Sun and Wang hacked into the computers of U.S. Steel around February 2010 when the company was litigating a trade dispute with Chinese companies before the U.S. Department of Commerce and U.S. International Trade Commission. Some company employees were duped into clicking on malicious links in e-mails that downloaded malware onto their computers.

SEC Rules

Wang “used that unauthorized access to steal host names and descriptions for more than 1,700 U.S. Steel computers, including servers used for emergency response, network monitoring, network security,” and mobile devices, according to the indictment.

Under SEC rules, companies must disclose any information that would affect an investor’s willingness to own shares. The SEC told companies in October 2011 that cybersecurity risks and cyber-attacks could be material and may have to be disclosed if they affect other claims in a company’s public filings.

The SEC’s guidance said the theft of intellectual property could be a material event that should be disclosed to investors, while the effect on the company’s “operations, liquidity, and financial condition” should be described. Outcomes such as lower expected revenues, an increase in cybersecurity defense costs, and litigation costs should be described, the SEC wrote. The SEC has since been evaluating whether stronger rules are needed.

The companies affected by the cyber-attacks may in the coming weeks and months disclose the extent of the attacks to investors, said Hillary Sale, a professor of law and management at Washington University School of Law. Some of the businesses may not have immediately known the damage done by the attacks, which would have affected their decisions about disclosure, Sale said in a phone interview.

“Sometimes it is very easy to say with hindsight that the companies didn’t disclose what they should have, but what we really don’t know yet is what they knew and when,” Sale said.